



By David Copland, Vice President at Kinetic Partners, a division of Duff & Phelps

Banks, asset managers and hedge funds have made a slow start in addressing the regulations and guidelines on cyber security promoted by the Securities and Futures Commission of Hong Kong (SFC) and the U.S. Securities and Exchange Commission (SEC). However, even in the wake of several high-profile breaches at companies including Sony, Target and JP Morgan Chase in 2014, the financial services industry’s response to security has been largely reactive.

Firms that have never experienced a significant cyber security breach in their organisation may feel that this problem only happens to ‘someone else’. As such, the sense of urgency to take preventative action is often noticeably absent. A study conducted by Risk Based Security, a leading information technology solutions provider, revealed that there were 1,922 data breaches reported and 904 million records exposed within the first nine months of 2014. Moreover, the number of security breaches is accelerating. Statistically speaking, the odds of your company being subjected to a security breach are now very real.

Remarkably, many companies still have weak security for computer user account authentication, opening the firm up to significant vulnerability. One common example is the ‘password reset’ on web-based applications. Password resets that can be achieved by answering fixed questions represent a weak link in security, especially when potential answers can be discovered with relative ease (e.g. a mother’s maiden name or a favourite pet’s name). The majority of cyber attacks can often be thwarted simply by strengthening these basic security controls, and by ensuring that anti-virus programmes, firewalls and site advisor programmes are regularly updated. Some new attacks may still get through, but the scope of such breaches can be limited to just one machine if sensible firewall rules are applied.

Relying on such good fortune is not a sound security strategy, however. It is imperative that firms prioritise investment in security measures and technologies, as attention in this area is vital for ensuring that the company is adequately protected from attack. After all, indifference to cyber security will not only result in a warning or a fine from the regulator, but could also cause serious damage to the business through the loss or theft of information. The initial costs of adequate cyber defence and infrastructure measures in the short run pale in comparison to the possible losses a firm would incur in the event of a breach.

When such security breaches are made public, the results can often be catastrophic. As such, CEOs, COOs and senior management need to be made aware of the possible consequences of cyber threats. For example, consider the impact of just these three threats:

  1. Denial of service attack. This type of attack can quickly overwhelm your IT network by consuming all of its capacity, preventing any trade orders from being executed. Emails can’t be sent or received and information on your trading activity cannot be reported. As such, for a period of time, your IT assets may effectively be unusable, thus paralysing business activity altogether.
  2. Cyber espionage from the internet. In this scenario, your network is scanned and sensitive data regarding clients or investments is stolen and put into the public domain. This will certainly attract regulatory attention and will no doubt damage future business opportunities as well as reputation. Incidents like these tripled during 2014.
  3. Internal theft of key information. Information on intellectual property (such as research and trading strategies) can be stolen via USB sticks, emailed to a personal email account, or sent to what appears to be a legitimate third party. The consequences of such a breach may be severe if the information is used or revealed in the public domain.

In order to combat the above threats, many firms assume that complex defence technology solutions are required. However, the truth is that very simple security solutions can normally be applied. Quick preventative measures that defend against 99% of network security threats include a review or update of the configuration status of your operating system, your security software and the enforcement of security procedures.

Numerous security principles and solutions can then be implemented to address the remaining 1% of truly dangerous threats, such as stronger authentication methods, data loss prevention software, more robust data encryption techniques and the use of dedicated intrusion detection systems, to name a few.

Faced with so many options and tools, it can be difficult to know where to start. Firms risk overspending in this area – and could still end up leaving the company exposed to cyber security threats – unless they first assess what the biggest security threats are for their business.

Drawing on industry guidance by the National Institute of Standards & Technology (NIST) and the Office of Compliance Inspections and Examinations (OCIE) in the U.S., financial services firms can address this issue by implementing a comprehensive gap analysis and subsequently applying a risk-based approach to identify the key cyber security threats.

This approach involves performing an IT threat and vulnerability pair risk analysis, a type of analysis already enforced by the Monetary Authority of Singapore (MAS), the Singapore financial regulator. This will not only make it much easier for firms to defend their key information assets, but will also help the firm build an on-going security implementation plan that covers the aspects of security that regulators will want to see.

The recent SEC alerts as well as the circular that the SFC published on cyber security recommend that registered entities need to do more, and regulators have already flagged an extensive number of items for priority review. As a result, simply ‘doing nothing’ in response to the growing number of cyber threats is clearly a dangerous strategy.

Cyberspace has moved beyond a supporting infrastructure and has become a battleground instead. Crucially, defending against yesterday’s attacks is not enough; firms need to shift their focus to the proactive management of security threats and vulnerabilities that matter to their particular business, rather than simply mirror what others are doing.

Firms need to stay ahead of the curve by identifying and addressing any threats to their most important information assets. In addition, they must implement and enforce appropriate security procedures and policies, as well as the right security technology, to mitigate whatever threats have been identified. Ranking the top cyber threats to the business will also ensure the level of technology spending is controlled.

A risk-based security strategy, underpinned by international standards, and which includes a comprehensive security gap analysis, remains the best way for firms to shape their cyber security solution. With this approach, firms will be in a much stronger position to protect their clients, their trading data and their portfolio information assets.
